SamSam, however, is different. Whereas most ransomware is automatically propagated, SamSam is deployed manually.

In addition, the group behind SamSam charges very high ransoms because of the amount of effort invested in their operations, which made them the subject of two FBI Alerts last year.

The attacks seem to peak in waves as campaigns distributing SamSam are executed. A notable recent example was a large hospital in New York that was hit with SamSam in April. The hospital declined to pay the attackers the $44,000 ransom demanded. It took a month for the hospital’s IT systems to be fully restored.

Defending against SamSam is more akin to a targeted attack than typical opportunistic ransomware. SamSam attackers are known to:

Gain remote access through traditional attacks, such as JBoss exploits

Deploy web-shells

Connect to RDP over HTTP tunnels such as ReGeorg

Run batch scripts to deploy the ransomware over machines

Earlier this week, ID Ransomwarespotted new variants of the SamSam ransomware. A review of the code (which decompiles cleanly with the tool ILSpy) indicates that little has changed, apart from some updates to the ransom note:

The ransom the victims must pay to recover their files is hardcoded in the malware. In this attack, it was:

1.7 Bitcoin ($4,600) for a single machine

6 Bitcoins ($16,400) for half the machines (allowing the victim to confirm they can recover their files)

12 Bitcoins ($32,800) for all of the machines

The most recent attacks appear to have been successful, at least from the attackers point of view. The Bitcoin address associated with this week’s attacks has received $33,000.

These new variants remind us that we must remain vigilant and utilize the latest threat indicators to detected new strains of existing malware. You can view the associated indicators in OTX.

About the Author:Chris Doman, AlienVaultI've had a long interest in security, but joined the industry after winning the civilian section of the Department of Defense's forensics competition. I run a popular threat intelligence portal (ThreatCrowd.org) in my spare time, and hold a CCHIA (Certified Host Intrusion Analyst) from CREST and a degree in Computer Science from the University of Cambridge.
Read more posts from Chris Doman ›